Vikunja Desktop Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Vikunja Desktop Electron application, affecting versions from 0.21.0 onward that are prior to 2.2.0. The issue arises because 'nodeIntegration' is enabled in the main BrowserWindow, allowing JavaScript to execute with full Node.js access. Additionally, the application does not restrict same-window navigations, so a link in user-generated content can load an attacker-controlled page in that window, where its script executes arbitrary code on the victim's machine.
Impact
Exploitation of this vulnerability allows for full remote code execution on the victim's desktop, with the attacker able to execute arbitrary commands, access and modify files, install malware or backdoors, and exfiltrate sensitive data and credentials.
Reproduction
To reproduce this vulnerability, set up a Vikunja instance and create a project shared between two users. The attacker should edit a project description to include a link to a hosted HTML page (poc.html) that executes a JavaScript command using Node.js functionality, such as opening a program like 'calc.exe'. When the victim clicks the link, the code executes on their machine.
Remediation
Users can update to Vikunja version 2.2.0 or later, where this vulnerability has been fixed.
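For developers of other Electron applications, the two conditions named under Vulnerability can be closed as sketched below. This is an added example, not Vikunja's code or its actual fix; the function names, the `appOrigin` parameter and the injected `openExternal` callback (in Electron, `shell.openExternal`) are assumptions.

```javascript
// Added example: hardened settings for a generic Electron main window.
// Not taken from the Vikunja code base; all names here are illustrative.

// Pass as `new BrowserWindow({ webPreferences: HARDENED_WEB_PREFERENCES })`.
const HARDENED_WEB_PREFERENCES = Object.freeze({
  nodeIntegration: false, // page scripts get no require() or process
  contextIsolation: true, // preload and page run in separate JS worlds
  sandbox: true,          // renderer runs inside the Chromium sandbox
});

// True only when `target` stays on the origin the app UI was loaded from.
// Opaque origins (file:, data:, javascript:) serialize as "null" and are rejected.
function isSameOrigin(target, appOrigin) {
  try {
    const origin = new URL(target).origin;
    return origin !== 'null' && origin === new URL(appOrigin).origin;
  } catch {
    return false; // unparsable URL: treat as foreign
  }
}

// Only http(s) links are handed to the system browser.
function isSafeExternal(target) {
  try {
    return ['http:', 'https:'].includes(new URL(target).protocol);
  } catch {
    return false;
  }
}

// Attach to `win.webContents`. `openExternal` is injected so the policy
// can be exercised without Electron installed.
function restrictNavigation(webContents, appOrigin, openExternal) {
  // Same-window navigation: foreign pages never load inside the app window.
  webContents.on('will-navigate', (event, url) => {
    if (isSameOrigin(url, appOrigin)) return;
    event.preventDefault();
    if (isSafeExternal(url)) openExternal(url);
  });
  // Links that request a new window (target=_blank, window.open).
  webContents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternal(url)) openExternal(url);
    return { action: 'deny' };
  });
}
```

With both pieces in place, a clicked link in user content opens in the system browser instead of the privileged window, and a page that does reach the renderer has no Node.js access.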
